DEX policies for macOS
Summary of DEX policies for macOS
DEX policies for macOS define rules and configurations to ensure consistent, secure, and compliant use of the ServiceNow application on macOS devices. These policies help organizations minimize data breach risks, enhance data quality and accuracy, and optimize application performance and availability.
macOS Sudoers Configuration
To enable full data retrieval on macOS systems, specific sudo permissions must be configured in the /private/etc/sudoers.d/servicenow file. This configuration allows the servicenow user to execute a predefined set of approved commands (such as system metrics collection, process management, and script execution) without requiring a password and without needing a TTY. It also permits environment variables to be preserved during execution. This setup is critical for enabling automated data collection and management tasks securely and efficiently.
Key Policies for macOS Applications and Devices
- Application Metrics Collection: Periodically collects application metrics like CPU usage, memory usage, uptime, I/O usage, running status, last access time, and crash reports every 5 minutes using historical data.
- Device Metrics Collection: Multiple policies collect macOS device metrics at various intervals (ranging from 60 seconds to 24 hours). These metrics include uptime, logged-in users, firewall status, disk and OS details, CPU and memory usage, battery status, network information, pending updates, device events, and compliance data.
- Process Data Collection: Gathers information about running macOS processes every 24 hours to maintain current process data.
- Energy Consumption and VPN Details: Collects energy consumption data every 5 minutes and VPN details every 30 minutes to monitor device resource use and connectivity.
- Real-Time User and Device Configuration Updates: Policies are in place to detect and send logged-in user and device configuration changes every 60 seconds to keep ServiceNow updated with the latest system state.
Practical Considerations
- If a check instance runs longer than five minutes, the subsequent scheduled check is skipped to avoid overlap.
- Historical data retained in the MetricBase database covers the last 7 days, while other policies focus on the latest available data.
- After upgrading the Content Playbook plugin, customers may encounter policy update issues; ServiceNow provides a knowledge base article for troubleshooting this scenario.
What ServiceNow Customers Can Expect
By implementing these DEX policies for macOS, organizations can automate comprehensive monitoring and data collection of macOS devices and applications. This enables proactive security enforcement, compliance tracking, performance optimization, and timely insight into system and user activity—all contributing to improved operational efficiency and risk reduction.
Policies for macOS are guidelines and rules that promote consistent, secure, and compliant use of the application. DEX policies help your organization reduce the risk of data breaches, improve data quality and accuracy, and optimize application performance and availability.
On macOS systems, to retrieve the complete data, add the following content to /private/etc/sudoers.d/_servicenow.
```
# ServiceNow Agent Collector - Sudoers Configuration for macOS
# Command alias for ServiceNow allowed commands
# These commands can be executed by the _servicenow user with sudo privileges
Cmnd_Alias SN_ALLOWED = /usr/bin/powermetrics, \
    /usr/bin/mdls, \
    /usr/bin/log, \
    /usr/bin/log show *, \
    /bin/kill, \
    /usr/bin/defaults, \
    /usr/local/bin/jamf, \
    /bin/rm, \
    /bin/ls, \
    /usr/bin/pgrep, \
    /usr/bin/find, \
    /usr/bin/pmset, \
    /usr/bin/open, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/app_freeze.sh, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/zscaler_zpa_reconnect.sh, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/clear_google_chrome_browsing_data.sh, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/services.sh, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/restart_service.sh *, \
    /Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/elevate_temporary_admin.sh
# ServiceNow user permissions
# _servicenow user can run osqueryi and all SN_ALLOWED commands without password
# SETENV allows environment variables to be preserved
_servicenow ALL=NOPASSWD: SETENV: /Library/Application\ Support/servicenow/agent-client-collector/cache/osquery/bin/osqueryi *, SN_ALLOWED
# Defaults for _servicenow user
# !requiretty: Allow sudo without a TTY (required for automated scripts)
Defaults:_servicenow !requiretty
```

```
Cmnd_Alias SN_ALLOWED = /usr/bin/powermetrics, \
    /usr/bin/mdls, \
    /usr/bin/log, \
    /bin/kill, \
    /usr/bin/defaults, \
    /usr/local/bin/jamf, \
    /bin/rm, \
    /bin/ls, \
    /usr/bin/pgrep, \
    /usr/bin/find, \
    /usr/bin/pmset, \
    /usr/bin/open, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/app_freeze.sh, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/zscaler_zpa_reconnect.sh, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/clear_google_chrome_browsing_data.sh, \
    /bin/sh /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/services.sh, \
    /bin/sh /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/restart_service.sh *, \
    /Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/elevate_temporary_admin.sh
_servicenow ALL=NOPASSWD: SETENV: /Library/Application\ Support/servicenow/agent-client-collector/cache/osquery/bin/osqueryi *, SN_ALLOWED
Defaults:_servicenow !requiretty
Defaults timestamp_timeout=0
Defaults log_allowed
```
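Every entry above runs as root without a password, so it is worth reviewing what each one permits before deploying the file. The following Python is an added example, not part of ServiceNow's documentation or agent: it parses the SN_ALLOWED alias, marks entries that accept any arguments or a wildcard pattern, and checks that each command path and all of its parent directories are root-owned and not group- or world-writable. The function names and the shortened SAMPLE fragment are constructed for illustration.

```python
import os
import re

# Constructed sample: a shortened fragment in the same shape as the page's file.
SAMPLE = r"""
Cmnd_Alias SN_ALLOWED = /usr/bin/pmset, \
    /usr/bin/log show *, \
    /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/restart_service.sh *
_servicenow ALL=NOPASSWD: SETENV: SN_ALLOWED
"""

def parse_alias(text, name="SN_ALLOWED"):
    """Return [(path, args)] for a Cmnd_Alias; args is None when no argument pattern is given."""
    joined = re.sub(r"\\\r?\n", " ", text)  # join backslash-continued lines
    m = re.search(rf"^\s*Cmnd_Alias\s+{re.escape(name)}\s*=\s*(.*)$", joined, re.M)
    entries = []
    for item in re.split(r"(?<!\\),", m.group(1)) if m else []:
        if item.strip():
            # Split the command path from its arguments at the first unescaped space.
            parts = re.split(r"(?<!\\)\s+", item.strip(), maxsplit=1)
            entries.append((parts[0].replace("\\ ", " "), parts[1] if len(parts) > 1 else None))
    return entries

def path_findings(path, trusted_uid=0):
    """Check the file and every parent directory: owned by trusted_uid, not group/world-writable."""
    findings, p, prev = [], os.path.realpath(path), None
    while p != prev:
        try:
            st = os.stat(p)
            if st.st_uid != trusted_uid:
                findings.append((p, f"owned by uid {st.st_uid}"))
            elif st.st_mode & 0o022:
                findings.append((p, "group/world-writable"))
        except OSError:
            findings.append((p, "missing or unreadable"))
        prev, p = p, os.path.dirname(p)
    return findings

def audit(text, trusted_uid=0):
    """Return [(path, notes)] for each SN_ALLOWED entry."""
    report = []
    for path, args in parse_alias(text):
        # In sudoers, a command listed without arguments may be run with any arguments.
        notes = ["any arguments accepted"] if args is None else []
        notes += ["wildcard in argument pattern"] if args and "*" in args else []
        notes += [f"{p}: {why}" for p, why in path_findings(path, trusted_uid)]
        report.append((path, notes))
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On a managed Mac, pass the full contents of /private/etc/sudoers.d/_servicenow to audit(), and syntax-check the file itself with visudo -cf before deploying it.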
Policies for Mac — Application
| Policy name | Description | Check instances | Frequency | Historical or latest | Check instance parameters |
|---|---|---|---|---|---|
| DEX Mac Apps Metrics | Collects the application metrics in the Mac device and sends metric data to Metric Base. | os.mac.check-app-historical | 5 mins | Historical | cpu_usage, memory_usage, uptime, io_usage_read, io_usage_write, is_running, last_access_time, crashes |
Policies for Mac — Device
| Policy name | Description | Check instances | Frequency | Historical or latest | Check instance parameters |
|---|---|---|---|---|---|
| DEX Mac Device Metrics | Collects macOS device metrics and sends the metric data to the ServiceNow instance. | os.mac.check-system-metrics-latest | 24 hours | Latest | uptime, logged_in, firewall_enabled, session_details, disk_details, os_details, cpu_details, battery_details, device_details, network_details, pending_updates, device_events, cpu_usage, memory_details, os_setup_details, last_access_time, reboot_details |
| DEX Mac Device Metrics | Collects macOS device metrics and sends the metric data to MetricBase. | os.mac.check-system-metrics-historical | 5 mins | Historical | disk_usage, io_usage_write, io_usage_read, power_consumption, cpu_usage, memory_details, uptime, crashes, battery_charge_percentage, wifi_transmit_rate, wifi_rssi |
| DEX Mac Device Metrics | Collects data for running macOS processes and sends the data to the ServiceNow instance. | os.mac.check-process-data | 24 hours | N/A | N/A |
| DEX Mac Device Metrics | Collects macOS device metrics and sends the metric data to the ServiceNow instance. | os.mac.check-sys-compliance-historical | 5 minutes | Historical | N/A |
| DEX Mac Device Metrics | Collects macOS device metrics and sends the metric data to the ServiceNow instance. | os.mac.check-sys-compliance-latest | 24 Hours | Latest | N/A |
| DEX Mac Device Metrics | Collects macOS device metrics and sends the metric data to the ServiceNow instance. Note: If the previous check runs for more than five minutes, the current check gets skipped. | os.mac.check-energy-consum-historical | 5 minutes | Historical | N/A |
| DEX Mac Device Metrics | Collects macOS device metrics and sends the metric data to the ServiceNow instance. | os.mac.check-system-metrics-historical | 30 minutes | Historical | vpn_details |
| DEX Get online macOS user on change | Gets a logged-in user's data on a macOS device whenever there’s a change. | os.mac.check-system-custom-query-on-chan | 60 secs | Latest | query, query_sys_id, query_type |
| DEX Get device configuration on change | Gets a logged-in user's device configuration whenever there’s a change. | os.all.check.internal.get-device-configu | 60 secs | Latest | N/A |